TT Malware Log

A personal log of investigation and research on malware, cyber attacks, and analysis techniques

APT27 (Summary)

【Overview】

■Group names (aliases, with the vendor that uses each)

APT27 (FireEye)
Emissary Panda (CrowdStrike, nccgroup)
Bronze Union (SecureWorks)
TG-3390 (SecureWorks)
ZipToken
ARCHERFISH
Iron Tiger
Group 35 (Cisco)
TEMP.Hippo
LuckyMouse (Kaspersky)
Threat Group-3390

【News】

◆Threat Group 3390 Cyberespionage (Secureworks, 2015/08/05)
https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
http://malware-log.hatenablog.com/entry/2015/08/05/000000_3

◆LuckyMouse uses malicious NDISProxy Windows driver to target gov't entities (ZDNet, 2018/09/10)
https://www.zdnet.com/article/luckymouse-targets-govt-entities-through-malicious-ndisproxy-driver/
http://malware-log.hatenablog.com/entry/2018/09/10/000000_5

◆Kaspersky Lab confirms that the cybercrime group "LuckyMouse" is signing malware with a stolen legitimate digital certificate and using it in attacks (Sankei Shimbun, 2018/09/18 14:44)
http://www.sankei.com/economy/news/180918/prl1809180243-n1.html
http://malware-log.hatenablog.com/entry/2018/09/18/185335

◆RSAC 2019: Bronze Union APT Updates Remote Access Trojans in Fresh Wave of Attacks (ThreatPost, 2019/02/27)
https://threatpost.com/bronze-union-apt-updates-remote-access-trojans-in-fresh-wave-of-attacks/142219/
http://malware-log.hatenablog.com/entry/2019/02/27/000000_4


【Blogs】

◆ThreatConnect identifies Chinese targeting of two companies. Economic espionage or military intelligence? (ThreatConnect, 2016/10/17)
https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/

◆BRONZE UNION Cyberespionage Persists Despite Disclosures (SecureWorks, 2017/06/27)
https://www.secureworks.com/research/bronze-union

◆Decoding network data from a Gh0st RAT variant (nccgroup, 2018/04/17)
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/

◆LuckyMouse hits national data center to organize country-level waterholing campaign (Kaspersky, 2018/06/13 10:00)
https://securelist.com/luckymouse-hits-national-data-center/86083/
http://malware-log.hatenablog.com/entry/2018/06/13/000000_2

◆Emissary Panda – A potential new malicious tool Introduction (nccgroup, 2018/05/18)
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/
http://malware-log.hatenablog.com/archive/2018/05/18

◆Chinese Hackers Carried Out Country-Level Watering Hole Attack (The Hacker News, 2018/06/14)
https://thehackernews.com/2018/06/chinese-watering-hole-attack.html

◆Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes” (Ars Technica, 2015/08/06 04:00)

Emissary Panda group penetrated the networks of industrial espionage targets.

https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/

◆LuckyMouse Group is back and using a legitimate certificate to sign malware (Kaspersky, 2018/09/10)
https://www.kaspersky.com/about/press-releases/2018_luckymouse-group-is-back-and-using-a-legitimate-certificate-to-sign-malware
http://malware-log.hatenablog.com/entry/2018/09/10/000000_4


【Public reports】

◆REGIONAL ADVANCED THREAT REPORT: Europe, Middle East and Africa 1H2015 (FireEye, 2015)
https://www.fireeye.com/content/dam/fireeye-www/partners/pdfs/rpt-regional-atr-emea-web-bt.pdf
http://malware-log.hatenablog.com/entry/2015/04/01/000000

【Indicators】

■Hashes (MD5), HttpBrowser RAT and PlugX RAT droppers/payloads



■Domains


■IP addresses


■Hashes (MD5)

  • 3BEA073FA50B62C561CEDD9619CD8425

■Hashes (SHA-256), with the filename observed for each sample



■IP addresses (C&C)

  • 23.227.207.137
  • 89.249.65.194


■Files

  • C:\ProgramData\HIDMgr
  • C:\ProgramData\Rascon
  • C:\ProgramData\TrkSvr


■Services

  • HIDMgr
  • RasconMan
  • TrkSvr


■Registry

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

(The indicators above are from nccgroup; source: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/)



■Malware sample information

MD5 3bea073fa50b62c561cedd9619cd8425
SHA1 ae917a61cb01df3906472b3140193c1ef62f8d75
SHA256 df7bafe27b2ac5121d3c46405f7c168453dbc09200049d693dceff6c4b59b2db
SHA512
SSDEEP 768:8kTUqTrSxd1WaNmN+NoF4P2MBL/enc8RGIcA2YvrK3gHLXokP:LwqCd1dINmEYYBGIcA2UK3Mok
authentihash 8e313f41dc7e65a09f3b2b944cdc53276e01988e85834bb3053d23b9d7eb5013
imphash e62620335bb00fe44ca7fe6a8bd55a4b
File Size 86016 bytes
File Type Win32 EXE (PE32 executable for MS Windows (GUI) Intel 80386 32-bit)
Compile time 2015-06-30 10:29:41
Debug Path
File Name
File Path
Dropped files
Characteristics
Reference https://www.virustotal.com/ja/file/df7bafe27b2ac5121d3c46405f7c168453dbc09200049d693dceff6c4b59b2db/analysis/

◆Hashes (MD5)

  • 22CBE2B0F1EF3F2B18B4C5AED6D7BB79
  • 0D0320878946A73749111E6C94BF1525
  • ac337bd5f6f18b8fe009e45d65a2b09b
  • 04dece2662f648f619d9c0377a7ba7c0

◆FQDN

  • bbs.sonypsps[.]com
  • update.iaacstudio[.]com
  • wh0am1.itbaydns[.]com
  • google-updata[.]tk
  • windows-updata[.]tk

Copyright (C) 谷川哲司 (Tetsuji Tanigawa) 1997 - 2019